Storage system

ABSTRACT

A storage network system includes a storage device including a volume for recording data, and a network connection device, and a host including a device for reading/writing data from/into the volume through a network. The host includes a security inspection program for performing security inspection of data communicated through a network and generating an inspection log including a result of the security inspection, inspection log acquisition means for acquiring the inspection log generated by the security inspection program whenever occasion demands, and copy command issuing means for issuing a copy command to copy data from the volume to another volume when there is no abnormality in the content of the inspection log concerning the volume.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims priority from Japanese applicationJP2004-255143 filed on Sep. 2, 2004, the content of which is herebyincorporated by reference into this application.

BACKGROUND

The present invention relates to a method for copying volume data in astorage device and particularly to a method for achieving safe copyingof volume data without illegal data.

There has been recently spread SAN (Storage Area Network) in which astorage device is connected to a computer (hereinafter also referred toas host) by a network so that the host is allowed to read/write datafrom/into a volume in the storage device. There has been also spreadserverless backup for achieving data copying by using the high speed ofthe SAN widely without interposition of LAN (Local Area Network). Byserverless backup, data can be copied from one volume in a storagedevice to another volume in the storage device or a volume in anotherstorage device through the SAN.

For backup/restoration based on volume copying of the storage device, itis essential that security inspection is performed to check backdoordata (hereinafter referred to as illegal data), such as infection ofviruses or worms, falsification of data or illegal interpolation ofdata, in the file level. In the serverless backup, it is howeverdifficult to perform security inspection in the file level because theserverless backup is carried out by block data based on SCSI (SmallComputer System Interface) or the like. Therefore, in “InternetSecurity” (written by Othmar Kays, issued by International ThomsonPublishing Japan), the inspection is carried out not on the storagedevice but on the host. The host inspects/monitors illegal data by asecurity inspection program such as an antivirus tool or an IDS(Intrusion Detection System) installed in the host per se. The hostchecks safety of data in a volume as a subject of inspection byinspection/monitoring based on the security inspection program.

In JP-A-2004-46435, a virus check function is provided to an exclusivecontroller so that virus check is performed on a replicated volumecopied from a volume as a subject of inspection. If there is no virusdetected by the virus check, the controller instructs the storage deviceto generate a new-level backup volume by copying the replicated volume.Incidentally, the term “new-level backup volume” means a volume in whicha replica of data stored in a certain volume is stored (hereinafterreferred to as replicated volume) and means each of volumes replicatedwhen the replica of data is made at regular intervals.

SUMMARY

A problem concerning the “Internet Security” will be described below. Asdescribed above, the security inspection programs can be roughlyclassified into antivirus tools and IDSs. In the former, there is apossibility that illegal data inclusive of viruses will be written inthe volume in accordance with the providing state of an antivirusprogram. In the latter, there is a possibility that illegal data will bewritten in the volume because only falsification or illegalinterpolation of data is detected. That is, generally, the securityinspection program cannot prevent illegal data perfectly from beingwritten in the volume. On this occasion, the storage device copies thevolume for replication at intervals of a predetermined period togenerate a plurality of new-level backup volumes continuously regardlessof the result of inspection based on the security inspection program.Accordingly, if illegal data is included in the volume for replication,the storage device generates new-level backup volumes including suchillegal data continuously. In this case, the following problem occurs.

First, because the storage device generates unnecessary new-level backupvolumes including illegal data continuously, wastefulness of resourcesoccurs. According to occasion, a new-level backup volume may beoverwritten because the new-level backup volume comes to where thenew-level backup volume started. If overwriting occurs, it is difficultto restore data to a normal state because there is a possibility thatillegal data will be included in all new-level backup volumes.

At the time of restoring data, an administrator has to carry out acomplex operation of temporarily stopping the process of generating anew-level backup volume, retrieving and verifying safe data from aplurality of new-level backup volumes, restoring data actually, deletingunnecessary new-level backup volumes including illegal data, andrestarting the process of generating a new-level backup volume. For thisreason, both increase in man-hour and delay in work occur. As a result,there is a problem that reduction in service occurs for a long time.

A problem concerning JP-A-2004-46435 will be described below. Thecontroller having a virus check function performs virus check onreplicated volumes in which a replica of data stored in a volume forreplication is stored. In this case, a long time is required forchecking the replicated volumes individually because all data in eachreplicated volume need to be checked sequentially. For this reason, thecheck lacks real-time practicability. Moreover, because a long time isrequired for checking one replicated volume, there is a problem that aplurality of controllers need to be provided in a large-scale site whichmanages a large number of replicated volumes. In addition, if a virus iswritten in a volume for replication during checking, speedy datarestoration cannot be performed because the virus cannot be detecteduntil completion of next checking.

The controller can check viruses but cannot check falsification orillegal interpolation of data by using an IDS or the like. The IDS holdsdata in a normal state at a certain point of time and checksfalsification, etc. of data by comparing the normal-state data with dataat the present time. The controller, however, cannot checkfalsification, etc. of data because the normal-state data is generallymanaged on each host.

Moreover, as described above, the controller controls the storage deviceto generate a replicated volume copied from a volume for replication. Onthis occasion, the storage device generates the replicated volumewithout awareness of data matching with an upper application such as adatabase. In online backup with the warrant of data matching, areplicated volume needs to be generated after all data concerning onetransacttion such as a transaction in a database are stored in a volumefor replication. For achievement of this, it is necessary to generate areplicated volume based on an instruction of an application programinstalled on the host and accommodated to online backup. It is howeverimpossible. to perform backup with the warrant of data matching becausethe controller has no online backup function. There is therefore aproblem that the man-hour required for restoring data increases.

In a system comprising a host, a storage device, and a management serverconnected to the host and the storage device through a network, themanagement server, the host or the storage device includes: means ofacquiring a result of inspection by a security inspection program on thehost whenever occasion arises; means of instructing the storage deviceto copy data from a volume for replication to which the host isconnected to another volume when the present time is a backup time andno illegal data is detected in the content of the acquired result ofinspection up to the present time; and means of instructing the storagedevice to copy data from the other volume to the volume for replicationregardless of backup time if illegal data is detected in the content ofthe acquired result of inspection.

According to another embodiment of the invention, in a storage networksystem comprising: a storage device including volumes for storing data,and network communication means; and a host including means ofreading/writing data from/into the volumes through a network, the hostfurther includes: a security inspection program for generating aninspection log inclusive of a result of security inspection byperforming security inspection of data communicated through the network;inspection log acquisition means for acquiring the inspection loggenerated by the security inspection program whenever occasion arises;and copy command issue means for issuing a copy command when there is noillegal data detected in the inspection log concerning the volume forreplication at the time of copying data from the volume to anothervolume. Other embodiments of the invention will become clear from thefollowing description in this specification.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing an example of configuration of a system;

FIG. 2 is a diagram showing an example of configuration of a host;

FIG. 3 is a diagram showing an example of configuration of a storagedevice;

FIG. 4 is a diagram showing an example of configuration of a managementserver;

FIG. 5 is a flow chart showing an example of processing flow of a backupcontrol program;

FIG. 6 is a view showing an example of a volume list for replication;

FIG. 7 is a view showing an example of control data;

FIG. 8 is a view showing an example of a multi-level backup volume list;

FIG. 9 is a view showing an example of an inspection log;

FIG. 10 is a view showing an example of control data;

FIG. 11 is a diagram showing an example of configuration of a system;

FIG. 12 is a diagram showing an example of configuration of a host;

FIG. 13 is a diagram showing an example of configuration of a system;

FIG. 14 is a diagram showing an example of configuration of a storagedevice;

FIG. 15 is a diagram showing an example of configuration of a system;

FIG. 16 is a diagram showing an example of configuration of a host;

FIG. 17 is a flow chart showing an example of processing flow of abackup control program;

FIG. 18 is a diagram showing an example of configuration of a system;

FIG. 19 is a diagram showing an example of configuration of a firststorage device;

FIG. 20 is a diagram showing an example of configuration of a secondstorage device;

FIG. 21 is a flow chart showing an example of processing flow of abackup control program; and

FIG. 22 is a view showing an example of a multi-level backup volumelist.

DESCRIPTION OF THE EMBODIMENTS

A storage network system and a configuration for embodying a managementserver, a host and a storage device will be described with reference tothe drawings.

Embodiment 1 will be described. FIG. 1 shows an example of systemconfiguration of a storage network system according to this embodiment.This system comprises a host 100, a storage device 400, and a managementserver 500. The host 100, the storage device 400 and the managementserver 500 are connected to one another through a network 300. The host100 can be connected to a group of clients 600 through a network 200.The management server 500 can be connected to an administrator device900. The management server 500 performs management of copy time in thestorage device 400, acquisition of information of a volume to be copied,acquisition of a result of virus check by the host 100, and transmissionof a copy command (inclusive of a backup command and a restore command)to the storage device 400.

The host in Embodiment 1 will be described. FIG. 2 shows details of thehost 100. The host 100 includes: a processing portion 101 having a CPU,etc.; a storage portion 102 having a storage device such as an RAM;network communication devices 103 and 104; an input device 105 forinputting data from an input device such as a keyboard; an output device106 for outputting data to an output device such as a display; and a bus107 by which the respective portions and devices 101 to 106 areconnected to one another. The storage portion 102 has: an OS program 108for memory management, task management, etc. executed by the processingportion 101; a data communication control program 109 for communicationwith the storage device 400; an application program 110 for Web, mail,etc. operated on the OS program 108; and a security inspection program111 which will be described later. The storage portion 102 further has amount volume list 112 inclusive of a volume list for replication to makea new-level backup volume list, which will be described later. The host100 is physically connected to the network 200 by the networkcommunication device 103 so that a network communication processconcerning the host 100 is carried out in a communication protocol ofthe network 200. For example, the communication protocol is IP (InternetProtocol). The host 100 is also physically connected to the network 300by the network communication device 104 so that a network communicationprocess concerning the host 100 is carried out in a communicationprotocol of the network 300. For example, the communication protocol isIP. The host 100 communicates with the storage device 400 (which will bedescribed later) by iSCSI (Internet Small Computer Interface) throughthe network 300. The data communication control program 109 carries outa process concerning the iSCSI communication. Here, the host 100executing the data communication control program 109 logicallycorresponds to an iSCSI initiator (the name of which will be hereinafterreferred to as iqn.a.com:hst1). That is, the host 100 executes the datacommunication control program 109 (by the processing portion 101), sothat the data communication control program 109 operates as an iSCSIinitiator.

The storage device in Embodiment 1 will be described. FIG. 3 showsdetails of the storage device 400. The storage device 400 includes astorage controller 401 for controlling the storage device 400 as awhole. The storage controller 401 has: a processing portion 402 having aCPU, etc.; a storage portion 403 having a storage device such as an RAM;a network communication device 404; a storage connection device 405; anda bus 406 by which the respective portions and devices 402 to 405 areconnected to one another. The storage device 400 further includes aphysical disk group 407, and a bus 408 by which the storage controller401 and the physical disk group 407 are connected to each other. Thephysical disk group 407 forms logical units (hereinafter referred to asvolumes) as logical storages for storing data actually by partiallycombining data storage regions of physical disks. The logical units arerepresented by volumes 409 to 412 in FIG. 3. The storage portion 403has: a storage control program 413 for managing access to the volumes409 to 412; a data replication program 414 for a data copying processfrom one volume to another volume; and a multi-level backup volume list415 indicating log information concerning processing by the datareplication program 414. The storage control program 413 and the datareplication program 414 are carried out by the processing portion 402.The storage device 400 is physically connected to the network 300 by thenetwork communication device 404, so that a network communicationprocess concerning the storage device 400 is carried out in acommunication protocol of the network 300. For example, thecommunication protocol is IP. As described above, the storage device 400communicates with the host 100 by iSCSI. The storage device 400executing the storage control program 413 logically corresponds to aniSCSI target (the name of which will be hereinafter referred to asiqn.a.com:str1) for carrying out a process concerning the iSCSIcommunication. The storage device 400 communicates with the host 100through the network communication device 404.

The storage control program 413 equivalent to an iSCSI target isexecuted by the processing portion 402 of the storage controller 401 sothat the storage device 400 can communicate with the host 100 by iSCSI.The data communication control program 109 (iSCSI initiator) of the host100 starts communication with the storage control program 413 throughthe network 300. For example, the storage control program 413 limitscommunication of the data communication control program 109 throughitself to the volumes 409 to 412. Specifically, the iSCSI initiatoriqn.a.com:hst1 of the host 100 can carry out iSCSI communication withthe iSCSI target iqn.a.com:str1 of the storage device 400 and can beconnected to the volumes 409 to 412 through the iSCSI target. Therespective volumes can be identified on the basis of LUN (Logical UnitNumber). For example, LUN=0 is allocated to the volume 409, LUN=1 isallocated to the volume 410, LUN=2 is allocated to the volume 411, andLUN=3 is allocated to the volume 412. Incidentally, the aforementionedprocessing can be achieved by an existing technique.

For the sake of convenience of description, it is assumed that the host100 is iSCSI-connected to the volume 409 (LUN=0) by the aforementionedprocessing, and that the OS program 108 and the application program 110on the host 100 carry out reading/writing of data from/into the volume409. A method used in the host 100 for reading/writing data will bedescribed later specifically.

In the host 100, the OS program 108, the application program 110 and thesecurity inspection program 111 are always executed by the processingportion 101. Although description will be made while each program isregarded as a subject executing a process, the processing portionexecuting the program executes the process actually. As shown in FIG. 1,the application program 110 exchanges data with a client group 600connected to the network 200. The data exchange is exchange of dataconcerning a service provided to the client group 600 by the applicationprogram 110 shown in FIG. 2. Description will be made on the assumptionthat the service provided by the application program 110 is HTTP (HyperText Transfer Protocol). The client group 600 sends request data (suchas an HTTP GET method, etc.) to the application program 110 through thenetwork 200, for example, to acquire a certain Web content. Uponreception of the request data through the network communication device103 and the OS program 108, the application program 110 reads dataconcerning the designated Web content through the OS program 108 andtransfers the data to the client group 600 through the network 200. Onthis occasion, the OS program 108 performs a process of readingnecessary data from the volume 409 having the Web content stored thereinby using the data communication control program 109 for achieving iSCSIcommunication. The OS program 108 identifies the Web content by a filename (e.g. /data/html/index.html) so that a device name (e.g. /dev/sdh,corresponding to an LU) in which a storage destination partition (/data)of the file is allocated and which is identified on the OS program 108can be deduced from the file name. The OS program 108 can further deducethe iSCSI initiator name (iqn.a.com:hst1) held by the data communicationcontrol program 109, the iSCSI target name (iqn.a.com:str1) as thedestination of connection and the LUN (in this example, LUN=0 indicatingthe volume 409), concerning iSCSI communication using the device name.When iSCSI communication is carried out on the basis of theaforementioned information, reading/writing of necessary data can beachieved. The aforementioned processing can be achieved by an existingtechnique. As a result, the application program 110 carries outreading/writing of data stored in the volume 409 through the OS program108 and the data communication control program 109.

Incidentally, iSCSI communication operates on the IP network. In thiscase, it is necessary to acquire an IP address as informationcommunicatable on the IP network from the iSCSI initiator name and theiSCSI target name. An iSNS (Internet Storage Name Service) server is anexisting technique for achieving the aforementioned processing. The host100, the storage device 400 and the management server 500 which will bedescribed later can retrieve an IP address from the iSCSI initiator nameand the iSCSI target name (called iSCSI name) by inquiring of the ISNSserver (the iSCSI target has a TCP port number waiting for iSCSIcommunication). As a result, iSCSI communication can be achieved on theIP network.

On this occasion, the security inspection program 111 always inspectscommunication data which the OS program 108 and the application program110 exchange with the client group 600 and the storage device 400(volume 409). The security inspection program 111 for carrying out theinspection shows a program such as an antivirus tool for detecting andeliminating viruses, worms, etc. or IDS for detecting illegalfalsification of data such as Web contents and illegal access to thehost 100. The security inspection program 111 can be achieved by anexisting technique. The illegal data 700 and 701 in FIG. 1 showcommunication data concerning the viruses and worms, illegalfalsification and illegal access. The client group 600 sends the illegaldata 700 and 701. When the security inspection program 111 includes anantivirus program for eliminating viruses and worms as represented bythe illegal data 700 in FIG. 1, data can be eliminated without writingof the illegal data 700 into the volume 409. The illegal data 701 ishowever written into the volume 409 because the security inspectionprogram 111 cannot cope with the illegal data 701 indicating otherviruses and worms, illegal falsification and illegal access. On thisoccasion, the security inspection program 111 detects writing of theillegal data 701 into the volume 409 as shown in FIG. 1, generates aninspection log 800 for indicating the writing of the illegal data 701and sends the inspection log 800 to the management server 500 (whichwill be described later) whenever the writing of the illegal data 701 isdetected.

The management server in Embodiment 1 will be described below. FIG. 4shows details of the management server 500. The management server 500includes: a processing portion 501 having a CPU, etc. and, for example,serving a backup controller; a storage portion 502 having a storagedevice such as an RAM; a network communication device 503; an inputdevice 504 for inputting data from an input device such as a keyboard;an output device 505 for outputting data to an output device such as adisplay; and a bus 506 by which the respective portions and devices 501to 505 are connected to one another. The storage portion 502 has: an OSprogram 507 for memory management, task management, etc. executed by theprocessing portion 501; a backup control program 508 operated on the OSprogram 507; and log data 509 for temporarily storing the inspection log800 shown in FIG. 1. The management server 500 is physically connectedto the network 300 by the network communication device 503, so that themanagement server 500 performs a process for communication with the host100 and the storage device 400 (e.g. in the IP protocol).

The management server 500 performs acquisition of a safe new-levelbackup volume list based on a result of the virus check by the securityinspection program 111 and transmission of a copy command (inclusive ofa restore command) based on the safe new-level backup volume list forthe volume in the storage device 400 from/into which the host 100 isreading/writing data. To achieve the aforementioned process, themanagement server 500 executes the backup control program 508 to collectthe mount volume list 112 from the host 100. In addition, the managementserver executes the backup control program 508 to acquire the inspectionlog 800 as a result of the inspection by the security inspection program111 and issues a necessary command such as a command to make a new-levelbackup volume or a restore command to the storage device 400. The backupcontrol program 508 will be described below in detail.

FIG. 5 is a flow chart showing an example of the processing procedure ofthe backup control program. In step 511 shown in FIG. 5, the backupcontrol program 508 acquires a mount volume list 112 from the host 100.The mount volume list 112 is managed by the host 100 and includesinformation concerning which volume is used as a subject of acquisitionof a new-level backup volume. The mount volume list 112 includes iSCSIinitiator names, iSCSI target names and LUNs, concerning the volumes towhich the host 100 is connected. An existing technique can be used sothat the mount volume list 112 can be acquired by the OS program 108. Itis assumed now that the host 100 is connected to the volume 409 and isreading/writing data from/into the volume 409. The host 100 sends themount volume list 112 to the backup control program 508 of themanagement server 500 by using an existing technique such as Syslog. Thebackup control program 508 collects the mount volume list 112 receivedfrom respective hosts including the host 100 to thereby generate avolume list 510 for replication. FIG. 6 shows an example of the formatof the volume list 510 for replication. The volume list 510 forreplication includes information concerning the iSCSI initiator name inthe volume of the storage device from/into which the host isreading/writing data by iSCSI communication, the iSCSI target name onthe storage device side, and LUN. For example, information concerningthe volume 409 to which the host 100 is connected is shown in the firstline in FIG. 6 and corresponds to the mount volume list 112 managed bythe host 100. Information concerning another volume to which the host100 is connected (e.g. LUN=7 in the storage device 400) as shown in thesecond line in FIG. 6 and information concerning another volume to whichanother host (iSCSI initiator name: iqn.a.com:hst2) is connected asshown in the third line in FIG. 6 can be also managed. By theaforementioned process, the backup control program 508 can recognizethat the volume 409 to which the host 100 is connected (and the volumeshown in the second line in FIG. 6) is a volume for replication to makea new-level backup volume.

In step 512 shown in FIG. 5, the backup control program 508 waits forreception of the inspection log 800 generated by the security inspectionprogram 111. The security inspection program 111 sends the inspectionlog 800 to the backup control program 508 through the network 300 byusing an existing technique such as Syslog. The backup control program508 stores the inspection log 800 received via Syslog as log data 509suitably. If there is no new inspection log 800 received at the presenttime, the backup control program 508 goes to step 513. If there is a newinspection log 800 received, the backup control program 508 goes to step516.

As described above, the inspection log 800 is sent to the backup controlprogram 508 whenever the security inspection program 111 detects illegaldata. Accordingly, if there is no new inspection log 800 received inthis step, the backup control program 508 goes to step 513 because theresult of security inspection concerning the host 100 is normal. Ifthere is a new inspection log 800 received, the backup control program508 goes to step 516 because the inspection log 800 indicates that theresult of security inspection concerning the host 100 is abnormal. Bythe aforementioned procedure, the backup control program 508 canrecognize the result of security inspection concerning the host 100 inreal time.

In step 513 shown in FIG. 5, the backup control program 508 checkswhether the present time is a backup time based on a predeterminedbackup period or not. The backup control program 508 manages informationcorresponding to a backup period, for example, of 5 minutes. The backupperiod can be set by the administrator device 900 or administratorthrough the input device 504 in advance. The backup control program 508judges from the present time and the backup period information whetherthe present time is a backup time or not. If the present time is abackup time, the backup control program 508 goes to step 514. Otherwise,the backup control program 508 goes back to step 512.

In step 514 shown in FIG. 5, the backup control program 508 generatescontrol data 1000 in which a necessary processing command to be issuedto the storage device having the volume for replication to make anew-level backup volume is written. When there is no inspection log 800received and the present time is a backup time at the point of time thatprocessing in this step is completed, control data 1000 in which acommand to copy data from the volume for replication to another volumeis written is issued to the storage device by the backup control program508.

The backup control program 508 uses the volume list 510 for replicationto specify the storage device having the volume for replication. Asdescribed above, copying of the volume for replication is executed whenthere is no inspection log 800 received for the volume. As will bedescribed later in detail, the inspection log 800 includes informationsuch as iSCSI initiator names, iSCSI target names and LUNs, concerningthe volume in which illegal data is detected, as shown in FIG. 9.Accordingly, the backup control program 508 can specify volumes havingno illegal data detected from the three pieces of information in theinspection log 800 received up to the present time and the volume list510 for replication. Because there is no inspection log 800 received forthe volume 409 in this example, the backup control program 508 can issuethe control data 1000 to the storage device 400 having the volume 409and identified by the iSCSI target name of iqn.a.com:str1 (at the sametime, this rule applies to the second and third lines shown in FIG. 6but the detailed description of the second and third lines will beomitted).

FIG. 7 shows an example of the format of the control data. The controldata 1000 shown in FIG. 7 includes information such as the iSCSIinitiator name concerning the volume 409, the iSCSI target name as adestination of connection and the LUN, specified by the aforementionedprocess. The control data 1000 further includes the content of actualprocessing (e.g. to make a new-level backup volume) concerning eachvolume for replication. Accordingly, as shown in FIG. 7, the controldata 1000 includes information such as the iSCSI target name“iqn.a.com:str1” and LUN=0 in the storage device 400, which indicatesthe volume 409. The backup control program 508 sends the control data1000 to the storage device 400 through the network 300, for example, bySNMP Trap.

In step 515 shown in FIG. 5, when the control data 1000 is received bythe storage controller 401 provided in the storage device 400, thereceived control data 1000 is sent to the data replication program 414to perform the following volume copying process.

The data replication program 414 copies data from one volume on thestorage device 400 to another volume on the storage device 400. Thisprocess can be achieved by an existing technique. In the storagecontroller 401, the data replication program 414 is executed by theprocessing portion 402 to carry out a process of copying data from onevolume on the storage device 400 to another volume on the storage device400 through the storage connection device 405. The data replicationprogram 414 copies data from the volume 409 allowed to be specified onthe basis of the control data 1000 to a volume (LUN=1) 410 which is notused at the present time. Then, the data replication program 414 writeslog information indicating completion of copying of data from the volume409 to the volume 410, into the multi-level backup volume list 415. FIG.8 shows an example of the format of the multi-level backup volume list.As shown in FIG. 8, the multi-level backup volume list 415 includesinformation such as iSCSI target names and LUNs of copy source volumes,iSCSI target names and LUNs of copy destination volumes andbackup-making time. In this example, the log information corresponds toinformation on the first line. After completion of the copying, thestorage controller 401 sends a message indicating the completion ofprocessing to the backup control program 508 through the network 300,for example, by using SNMP Trap or the like.

After the completion of the aforementioned processing, the backupcontrol program 508 goes back to step 512 to repeat the aforementionedprocedure. When the processing goes from step 512 to step 515 again, thebackup control program 508 acquires a copy of the volume 409 again. Asdescribed above, the data replication program 414 copied data from thevolume 409 to the volume 410. In this processing, the data replicationprogram 414 copies data from the volume 409 to another volume (LUN=2)411. In the next processing, the data replication program 414 copiesdata from the volume 409 to another volume (LUN=3) 412. In eachprocessing, the data replication program 414 writes log information inthe multi-level backup volume list 415 (log information corresponds tothe second or third line in FIG. 8). By repeating the aforementionedprocess, the volumes 410 to 412 are used as new-level backup volumes forthe volume 409 in accordance with the backup period managed by thebackup control program 508 described above.

By the aforementioned process, the storage device 400 can generatenew-level backup volumes for the volume 409 easily and in real timewhile safety can be warranted on the basis of the result of inspectionby the security inspection program 111 as described above. Incidentally,as described above, the backup control program 508 manages the volumelist 510 for replication shown in FIG. 6. A plurality of volumesconnected to one host and information concerning a plurality of hostscan be managed in the volume list 510 for replication. Accordingly,generation of the new-level backup volumes under the aforementionedcondition by the backup control program 508 can be achieved by the sameprocess as described above. Although description has been made on thecase where there is no new inspection log acquired in step 512, thiscase may be replaced by the case where the result of inspection by thesecurity inspection program 111 is not abnormal.

An example of the processing procedure concerning the backup controlprogram will be described below in the case where the result ofinspection by the security inspection program is abnormal. In step 516shown in FIG. 5, the backup control program 508 judges whether anecessary command is to be sent to the storage device or to theadministrator device 900 shown in FIG. 1. At the point of time thatprocessing in this step is completed, the backup control program 508recognizes the fact that the result of security inspection concerningthe host 100 is abnormal because of reception of the inspection log 800.It is therefore necessary to restore data by copying data from a safenew-level backup volume to the volume for replication because the volumefor replication includes illegal data such as viruses/worms or falsifieddata. The system according to this embodiment is configured so thateither a process for instructing the storage device 400 to copy thevolume automatically or a process for alerting the administrator device900 to restore data can be selected in order to satisfy variousrequirements of users. Therefore, the backup control program 508 goes tostep 517 to perform the former process when the value of a restorationjudgment file, for example, set by the administrator device 900 throughthe input device 504 in advance is “0” whereas the backup controlprogram 508 goes to step 519 to perform the latter process when thevalue is “1”.

In step 517 shown in FIG. 5, the backup control program 508 generatescontrol data 1000 which is to be issued to a storage device having avolume to be restored and in which a necessary processing command iswritten. The backup control program 508 restores the volume forreplication to a safe state by issuing a command to the storage deviceto copy data from the new-level backup volume acquired in the step 515to the volume for replication in which illegal data shown by theinspection log 800 is found. FIG. 9 shows an example of the format ofthe inspection log. As shown in FIG. 9, the inspection log 800 includesinformation such as the name of a file in which illegal data is detectedby inspection, the result of inspection, the iSCSI initiator name iniSCSI communication concerning the volume in which data of the file nameis stored, the iSCSI target name, and the LUN. For example, let the filename be/data/html/index.html. Let the result of inspection be abnormal.Let the iSCSI initiator name be ign.a.com:hst1. Let the iSCSI targetname be ign.a.com.str1. Let the LUN be 0. The backup control program 508can specify the volume for replication and the storage device as adestination of the control data 1000 on the basis of the aforementionedinformation so that the volume for replication is the volume 409, andthat the storage device to which the control data 1000 is to be issuedis the storage device 400.

FIG. 10 shows an example of the format of the control data. The controldata 1000 shown in FIG. 10 includes information such as the iSCSI targetname and the LUN specified by the aforementioned process and concerningthe volume 409, and the content of actual processing for the volume(e.g. restore). Accordingly, as shown in FIG. 10, the control data 1000includes information such as the iSCSI target name “iqn.a.com:str1” ofthe storage device 400 and LUN=0 concerning the volume 409 in thisexample, and the content “restore” of processing. The backup controlprogram 508 sends the control data 1000 to the storage device 400through the network 300, for example, by SNMP Tap or the like.

In step 518 shown in FIG. 5, the control data 1000 is received by thestorage controller 401 of the storage device 400. The received controldata 1000 is sent to the data replication program 414 to carry out thefollowing volume copying process.

The data replication program 414 restores (copies) data from thenew-level backup volume acquired in the step 515 to the volume 409 whichcan be specified on the basis of the control data 1000. The datareplication program 414 refers to the multi-level backup volume list 415generated in the step 515 in order to retrieve the new-level backupvolume as a copy source. As shown in FIG. 8, the data replicationprogram 414 can specify new-level backup volumes for the volume 409 onthe basis of the iSCSI target name and LUN of the volume 409 so that thenew-level backup volumes are volumes 410 to 412. Then, the datareplication program 414 copies data from the volume 412 latest inbackup-making time and allowed to be retrieved by referring to themulti-level backup volume list 415 to the volume 409. (If the volumes410 to 412 are provided as differential copies of the volume 409, therestoring process in the step 515 may be performed in order of thenewest volume 412, the volume 411 and the volume 410). Incidentally, onthis occasion, the storage control program 413 may temporarily stopwriting of data from the host 100 into the volume 409 in accordance withnecessity. After completion of the copying, the storage controller 401sends a message indicating the completion of processing to the backupcontrol program 508 through the network 300, for example, by using SNMPTrap or the like.

After completion of the aforementioned processing, the backup controlprogram 508 goes back to the step 512 to repeat the aforementionedprocedure.

In step 519 shown in FIG. 5, the backup control program 508 alerts theadministrator device 900 to the restore command in place of the step517. The alert to the restore command can be achieved by an existingtechnique such as SNMP Trap or mail. The alert includes information suchas the iSCSI target name and LUN of the volume to be restored. Aftercompletion of the aforementioned processing, the backup control program508 goes back to the step 512 to repeat the aforementioned procedure.

By repeating the aforementioned process, the storage device 400 canachieve data restoration of the volume 409 as a subject of restorationeasily and in real time on the basis of data with safety warranted.

Embodiment 2 will be described. In this embodiment, the backup controlprogram 508 is disposed in the storage portion 102 of the host 100. Thesame effect as in Embodiment 1 can be obtained. FIG. 11 is a diagramshowing the configuration of a system according to this embodiment. Thesystem according to this embodiment comprises: a host 1100 having thebackup control program 508; and a storage device 400 connected to thehost 1100 through a network 300. The host 1100 performs execution of thesecurity inspection program, management of copy time in the storagedevice 400, acquisition of volume information as a subject of copying,acquisition of a result of virus check in the host 1100, andtransmission of a copy command (inclusive of a backup command and arestore command) to the storage device 400.

The host in Embodiment 2 will be described. FIG. 12 shows details of thehost. As described above in Embodiment 1, the host 1100 includes aprocessing portion 101, a storage portion 102, network communicationdevice 103 and 104, an input device 105, an output device 106, and a bus107 by which the respective portions and devices 101 to 106 areconnected to one another. As described above in Embodiment 1, thestorage device 102 has an OS program 108, a data communication controlprogram 109 equivalent to an iSCSI initiator, an application program110, a security inspection program 111, and a backup control program508. The respective programs are executed by the processing portion 101.The storage portion 102 further has a mount volume list 112, log data509, and a volume list 510 for replication. Similarly to Embodiment 1described above, the host 1100 communicates with the storage device 400through the network 300 by iSCSI. The data communication control program109 performs a process concerning the iSCSI communication. Let the iSCSIinitiator name be “iqn.a.com:hst1”. As described above, the OS program108 and the application program 110 are reading/writing data from/intothe volume 409 in the storage device by iSCSI communication. Thesecurity inspection program 111 always inspects data exchanged with theclient group 600 and the storage device 400 by the OS program 108 andthe application program 110. The security inspection program 111 detectswriting of illegal data 701 into the volume 409, generates an inspectionlog 800 indicating the writing of illegal data 701 and outputs theinspection log 800 to log data 509.

An example of the procedure in the backup control program executed bythe host 1100 will be described below. Incidentally, since the procedurewhich will be described here is almost the same as that shown in FIG. 5,the procedure will be described with the assistance of FIG. 5. Thefollowing description may be made with the assistance of FIG. 5. In step511 shown in FIG. 5, the backup control program 508 acquires a mountvolume list 112 from the storage portion 102 (the OS program 108) andgenerates a volume list 510 for replication as shown in FIG. 6, in thesame manner as in the step 511 in Embodiment 1. On this occasion, thebackup control program 508 can recognize that the volume 409 connectedto the host 1100 is a volume for replication to make a new-level backupvolume.

In step 512 shown in FIG. 5, the backup control program 508 waits forreception of an inspection log 800 generated by the security inspectionprogram 111, in the same manner as in the step 512 in Embodiment 1. Ifthere is no new inspection log 800 received at the present time, thebackup control program 508 goes to step 513. If there is a newinspection log 800 received, the backup control program 508 goes to step516.

In step 513 shown in FIG. 5, the backup control program 508 checkswhether the present time is a backup time based on a predeterminedbackup period or not, in the same manner as in the step 513 inEmbodiment 1. The administrator device 900 can set the backup period byusing the input device 105. The backup control program 508 judges fromthe present time and the backup period information whether the presenttime is a backup time or not. If the present time is a backup time, thebackup control program 508 goes to step 514. Otherwise, the backupcontrol program 508 goes back to step 512.

In step 514 shown in FIG. 5, the backup control program 508 generatescontrol data 1000 in which a necessary processing command is written, onthe basis of the information of the volume list 510 for replication andissues the control data 1000 to the storage device 400, in the samemanner as in the step 514 in Embodiment 1.

In step 515 shown in FIG. 5, when the control data 1000 is received bythe storage controller 401 of the storage device 400, the datareplication program 414 of the storage device 400 copies data from thevolume 409 to the volume 410 in the same manner as in the step 515 inEmbodiment 1.

After the completion of the aforementioned processing, the backupcontrol program 508 goes back to step 511 to repeat the aforementionedprocedure.

By the aforementioned process, the storage device 400 can generatenew-level backup volumes for the volume 409 easily and in real timewhile safety can be warranted on the basis of the result of inspectionby the security inspection program 111 as described above.

An example of the processing procedure concerning the backup controlprogram will be described below in the case where the result ofinspection by the security inspection program is abnormal. In step 516shown in FIG. 5, the backup control program 508 performs the sameprocess as in the step 516 in Embodiment 1. For example, the backupcontrol program 508 goes to step 517 to perform the former process whenthe value of a restoration judgment file set by the administrator device900 through the input device 504 in advance is “0” whereas the backupcontrol program 508 goes to step 519 to perform the latter process whenthe value is “1”.

In step 517 shown in FIG. 5, the backup control program 508 generatescontrol data 1000 in which a necessary processing command is written, onthe basis of information of the inspection log 800 and issues thecontrol data 1000 to the storage device 400, in the same manner as inthe step 517 in Embodiment 1.

In step 518 shown in FIG. 5, when the control data 1000 is received bythe storage controller 401 of the storage device 400, the datareplication program 414 of the storage device 400 copies data from thevolume 410 to the volume 409 in the same manner as in the step 518 inEmbodiment 1.

After completion of the processing, the backup control program 508 goesback to the step 512 to repeat the aforementioned procedure.

In step .518 shown in FIG. 5, the backup control program 508 performsthe same process as in the step 518 in Embodiment 1.

By repeating the aforementioned processing, the storage device 400 canachieve data restoration of the volume 409 as a subject of restorationeasily and in real time on the basis of data with safety warranted.

Embodiment 3 will be described. In this embodiment, the backup controlprogram 508 described in Embodiment 1 is disposed in the storage portion403 of the storage device 400. The same effect as described inEmbodiment 1 can be obtained. FIG. 13 is a diagram showing theconfiguration of a system according to this embodiment. The systemaccording to this embodiment comprises a host 100, and a storage device1400 connected to the host 100 through a network 300 and including thebackup control program 508. The storage device 1400 performs managementof copy time, acquisition of volume information as a subject of copying,acquisition of a result of virus check by the host 100, and execution ofa copy command (inclusive of a backup command and a restore command).

The storage device in Embodiment 3 will be described. FIG. 14 showsdetails of the storage device. The storage device 1400 includes astorage controller 401 as described above in Embodiment 1. The storagecontroller 401 is configured to have a processing portion. 402, astorage portion 403, a network communication device 404, a storageconnection device 405, an input device 416 for inputting data from aninput device such as a keyboard, an output device 417 for outputtingdata to an output device such as a display, and a bus 406 by which therespective portions and devices 402 to 405, 416 and 417 are connected toone another. The storage device 1400 is configured to further include aphysical disk group 407 connected to the storage controller 401 by a bus408. The physical disk group 407 forms logical units (LUs) for storingdata actually by partially combining data storage regions. The logicalunits (LUs) are represented by volumes 409 to 412. The storage portion403 has a storage control program 413, a data replication program 414,and a backup control program 508. The programs are executed by theprocessing portion 402. The storage portion 403 further has amulti-level backup volume list 415, log data 509, and a volume list 510for replication. The storage device 1400 communicates with the host 100by iSCSI in the same manner as described above. The storage controlprogram 413 is equivalent to an iSCSI target (named as “iqn.a.com:str1”in this embodiment) for performing a process concerning the iSCSIcommunication. The storage control program 413 communicates with thehost 100 through the network communication device 404. Similarly, thedata communication control program 109 of the host 100 performs aprocess concerning the iSCSI communication and an iSCSI initiator nameis iqn.a.com:hst1. As described above, the OS program 108 and theapplication program 110 are reading/writing data from/into the volume409 in the storage device by iSCSI communication. The securityinspection program 111 always inspects data exchanged with the clientgroup 600 and the storage device 1400 by the OS program 108 and theapplication program 110. The security inspection program 111 detectswriting of illegal data 701 into the volume 409 and generates aninspection log 800 in which a massage of the writing of illegal data iswritten.

An example of the procedure in the backup control program executed bythe storage device 1400 will be described below. Incidentally, since theprocedure which will be described here is almost the same as that shownin FIG. 5, the procedure will be described with the assistance of FIG.5. The following description may be made with the assistance of FIG. 5.In step 511 shown in FIG. 5, the backup control program 508 acquires amount volume list 112 from the host 100, etc. and generates a volumelist 510 for replication shown in FIG. 6, in the same manner as in thestep 511 in Embodiment 1. On this occasion, the backup control program508 can recognize that the volume 409 connected to the host 100 is avolume for replication to make a new-level backup volume.

In step 512 shown in FIG. 5, the backup control program 508 waits forreception of an inspection log 800 generated by the security inspectionprogram 111 in the same manner as in the step 512 in Embodiment 1. Ifthere is no new inspection log 800 received at the present time, thebackup control program 508 goes to step 513. If there is a newinspection log 800 received, the backup control program 508 goes to step516.

In step 513 shown in FIG. 5, the backup control program 508 checkswhether the present time is a backup time based on a predeterminedbackup period or not, in the same manner as in the step 513 inEmbodiment 1. The administrator 900 can set the backup period by usingthe input device 416. The backup control program 508 judges from thepresent time and the backup period information whether the present timeis a backup time or not. If the present time is a backup time, thebackup control program 508 goes to step 514. Otherwise, the backupcontrol program 508 goes back to step 512.

In step 514 shown in FIG. 5, the backup control program 508 generatescontrol data 1000 in which a necessary processing command to be executedby the storage device 1400 is written, on the basis of the informationof the volume list 510 for replication and issues the control data 1000to the storage device 1400, in the same manner as in the step 514 inEmbodiment 1.

In step 515 shown in FIG. 5, when the control data 1000 is received bythe storage controller 401 of the storage device 1400, the datareplication program 414 of the storage device 1400 copies data from thevolume 409 to the volume 410 in the same manner as in the step 515 inEmbodiment 1.

After completion of the aforementioned processing, the backup controlprogram 508 goes back to step 512 to repeat the aforementionedprocedure.

By the aforementioned process, the storage device 1400 can generatenew-level backup volumes for the volume 409 easily and in real timewhile safety is warranted by the result of inspection by the securityinspection program 111.

An example of the procedure concerning the backup control program willbe described below in the case where the result of inspection by thesecurity inspection program is abnormal. In step 516 shown in FIG. 5,the backup control program 508 performs the same process as in the step516 in Embodiment 1. For example, the backup control program 508 goes tostep 517 to perform the former process when the value of a restorationjudgment file set by the administrator device 900 through the inputdevice 416 is “0” whereas the backup control program 508 goes to step519 to perform the latter process when the value of the restorationjudgment file is “1”.

In step 517 shown in FIG. 5, the backup control program 508 generatescontrol data 1000 in which a necessary processing command to be executedby the storage device 1400 is written, on the basis of the informationof the inspection log 800 and issues the control data 1000 to thestorage device 1400, in the same manner as in the step 517 in Embodiment1.

In step 518 shown in FIG. 5, when the control data 1000 is received bythe storage controller 401 of the storage device 1400, the datareplication program 414 of the storage device 1400 copies data from thevolume 410 to the volume 409 in the same manner as in the step 518 inEmbodiment 1.

After completion of the aforementioned processing, the backup controlprogram 508 goes back to step 512 to repeat the aforementionedprocedure.

In step 519 shown in FIG. 5, the backup control program 508 performs thesame process as in the step 519 in Embodiment 1.

By repeating the aforementioned processing, the storage device 1400 canachieve data restoration of the volume 409 as a subject of restorationeasily and in real time on the basis of data with safety warranted.

Embodiment 4 will be described. This embodiment is configured so that anapplication program for performing an online backup process withwarranted data matching for a database or the like operated on a host isoperated by the backup control program 508. The same effect as inEmbodiment 1 can be obtained. The application program is provided toachieve backup without necessity of temporary stopping of serviceprovided by the application program per se. The application program canbe achieved by an existing technique. The application program writes alldata equivalent to a transaction of a database or the like, into avolume with data matching warranted and then instructs a storage devicehaving the volume to back up the volume. In the meantime, thetransaction data of the application program is temporarily stored in amemory or the like on the host on which the application program isoperating, so that a necessary process can be performed continuously bythe application program.

FIG. 15 is a diagram showing the configuration of a system according tothis embodiment. The system according to this embodiment comprises: ahost 2100 having an application program accommodated to the onlinebackup; a storage device 400 connected to the host 2100 through anetwork 300; and a management server 500 having the backup controlprogram 508. The management server 500 performs management of copy timein the storage device 400, acquisition of volume information as asubject of copying, acquisition of a result of virus check in the host2100, and transmission of a copy command (inclusive of a backup commandand a restore command) to the host 2100.

The host in Embodiment 4 will be described. FIG. 16 shows details of thehost. As described above, the host 2100 includes a processing portion101, a storage portion 102, network communication devices 103 and 104,an input device 105, an output device 106, and a bus 107 by which therespective portions and devices 101 to 106 are connected to one another.The storage portion 102 has an OS program 108 for performing memorymanagement, task management, etc., a data communication control program109 for performing a process of communicating with the storage device400, an application program 2110 such as a database operated on the OSprogram 108 and accommodated to the online backup, and a securityinspection program 111. These programs are executed by the processingportion 101. The storage portion 102 further has a mount volume list112. The host 2100 communicates with the storage device 400 through thenetwork 300 by iSCSI. The data communication control program 109performs a process concerning the iSCSI communication. The datacommunication control program 109 is equivalent to an iSCSI initiator(named as “iqn.a.com:hst1” in this embodiment). As described above, theOS program 108 and the application program 2110 are reading/writing datafrom/into the volume 409 in the storage device by iSCSI communication.The security inspection program 111 always inspects data exchanged withthe client group 600 and the storage device 400 by the OS program 108and the application program 2110. The security inspection program 111detects writing of illegal data 701 into the volume 409 and generates aninspection log 800 in which a message of the writing of illegal data 701is written.

An example of the procedure in the backup control program will bedescribed below with reference to FIG. 17. In step 1511 shown in FIG.17, the backup control program 508 acquires a mount volume list 112 fromthe host 2100 or the like and generates a volume list 510 forreplication as shown in FIG. 6, in the same manner as in the step 511 inEmbodiment 1. On this occasion, the backup control program 508 canrecognize that the volume 409 connected to the host 2100 is a volume forreplication to make a new-level backup volume.

In step 1512 shown in FIG. 17, the backup control program 508 waits forreception of an inspection log 800 generated by the security inspectionprogram 111, in the same manner as in the step 512 in Embodiment 1. Ifthere is no new inspection log 800 received at the present time, thebackup control program 508 goes to step 1513. If there is a newinspection log 800 received, the backup control program 508 goes to step1516.

In step 1513 shown in FIG. 17, the backup control program 508 checkswhether the present time is a backup time based on a predeterminedbackup period or not, in the same manner as in the step 513 inEmbodiment 1. The backup control program 508 judges from the presenttime and the backup period information whether the present time is abackup time or not. If the present time is a backup time, the backupcontrol program 508 goes to step 1514. Otherwise, the backup controlprogram 508 goes back to step 1512.

In step 1514 shown in FIG. 17, the backup control program 508 generatescontrol data 1000 in which a necessary processing command to be issuedto the host is written, on the basis of the volume list 510 forreplication and issues the control data 1000 to the host, in the samemanner as in the step 514 in Embodiment 1. When the same process as inthe step 514 in Embodiment 1 is carried out, the backup control program508 can recognize that the destination of issuing of the control data1000 is the host 2100.

In step 1515 shown in FIG. 17, when the control data 1000 is received bythe OS program 108 or the like in the host 2100, the host 2100 instructsthe application program 2110 to copy the volume on the basis of themount volume list 112 (information on the first line shown in FIG. 6) ofthe host 2100 per se. At the point of time that the instruction isreceived, the application program 2110 writes data in progress (e.g.data included in a transaction in progress) concerning the volume as asubject of the instruction, into the volume with matching warranted andthen issues a volume copy command to the storage device 400. On thisoccasion, the application program 2110 issues a copy command concerningthe volume used by the host 2100 to the storage device 400 on the basisof the mount volume list 112. Then, the data replication program 414 ofthe storage device 400 copies data from the volume 409 to the volume 410in the same manner as in the step 515 in Embodiment 1.

After completion of the aforementioned processing, the backup controlprogram 508 goes back to step 1512 to repeat the aforementionedprocedure.

By the aforementioned process, the storage device 400 can generatenew-level backup volumes for the volume 409 easily and in real timewhile data matching is warranted and safety is warranted by the resultof inspection by the security inspection program 111.

An example of the procedure concerning the backup control program willbe described below in the case where the result of inspection by thesecurity inspection program is abnormal. In step 1516 shown in FIG. 17,the backup control program 508 performs the same process as in the step516 in Embodiment 1. For example, the backup control program 508 goes tostep 1517 to perform the former process when the value of a restorationjudgment file set by the administrator device 900 through the inputdevice 105 in advance is “0” whereas the backup control program 508 goesto step 1519 to perform the latter process when the value of therestoration judgment file is “1”.

In step 1517 shown in FIG. 17, the backup control program 508 generatescontrol data 1000 in which a necessary processing command to be issuedto the storage device 400 is written, on the basis of the information ofthe inspection log 800 and issues the control data 1000 to the storagedevice 400, in the same manner as in the step 517 in Embodiment 1.

In step 1518 shown in FIG. 17, when the control data 1000 is received bythe storage controller 401 of the storage device 400, the datareplication program 414 of the storage device 400 copies data from thevolume 410 to the volume 409 in the same manner as in the step 518 inEmbodiment 1.

After completion of the aforementioned processing, the backup controlprogram 508 goes back to step 1512 to repeat the aforementionedprocedure.

In step 1519 shown in FIG. 17, the backup control program 508 performsthe same process as in the step 519 in Embodiment 1.

By repeating the aforementioned processing, the storage device 400 canachieve data restoration of the volume 409 as a subject of restorationeasily and in real time on the basis of data with safety warranted.

Incidentally, this embodiment can be achieved also in the case where thebackup control program 508 is disposed on the host 2100 or on thestorage device 400 as described in Embodiment 2 or 3.

Embodiment 5 will be described. In this embodiment, new-level backupvolumes for a storage device having a volume for replication aregenerated in another storage device on a remote site or the like so thatdata can be prevented from being missing because of a disaster or thelike. FIG. 18 is a diagram showing the configuration of a systemaccording to this embodiment. The system according to this embodimentcomprises a host 100, a first storage device 3200 having the backupcontrol program 508 and connected to the host 100 through a network 300,and a second storage device 3300 arranged on a remote site or the likeand connected to the first storage device 3200 through a network 3100.The first storage device 3200 performs data synchronization between afirst volume of the first storage device 3200 and a second volume of thesecond storage device 3300, transmission of a copy command (inclusive ofa backup command and a restore command) to copy data from the firstvolume of the first storage device 3200 to the second volume of thesecond storage device 3300, management of copy time in the secondstorage device 3300, acquisition of volume information as a subject ofcopying, acquisition of a result of virus check in the host 100,transmission of a copy command (inclusive of a backup command and arestore command) to copy data from the second volume of the secondstorage device 3300 to the first volume of the first storage device3200, and restart of data synchronization between the first volume ofthe first storage device 3200 and the second volume of the secondstorage device 3300.

FIG. 19 shows details of the first storage device. As described above,the first storage device 3200 includes a storage controller 401. Thestorage controller 401 is configured to have a processing portion 402, astorage portion 403, network communication devices 404 and 418, astorage connection device 405, an input device 416, an output device417, and a bus 406 by which the respective portions and devices 402 to405 and 416 to 418 are connected to one another. The first storagedevice 3200 is configured to further include a physical disk group 407connected to the storage controller 401 by a bus 408. The physical diskgroup 407 forms logical units (LUs) for storing data actually bypartially combining data storage regions of physical disks. The logicalunits are represented by volumes 409 to 412 in FIG. 19. The storageportion 403 has a storage control program 413, a data replicationprogram 414, a backup control program 508, and a data synchronizationprogram 3201 for achieving data synchronization between a volume in thestorage device 3200 and a volume in the storage device 3300. Theseprograms are executed by the processing portion 402. The storage portion403 further has a multi-level backup volume list 415, log data 509, anda volume list 510 for replication. As described above, the first storagedevice 3200 communicates with the host 100 (the iSCSI initiator name“iqn.a.com:hst1”) by iSCSI. The OS program 108 and the applicationprogram 110 in the host 100 are reading/writing data from/into thevolume 409 through the storage control program 413 which is equivalentto an iSCSI target (iqn.a.com:str1). The security inspection program 111always inspect data exchanged with the client group 600 and the firststorage device 3200 by the OS program 108 and the application program110. The security inspection program 111 detects writing of illegal data701 into the volume 409 and generates an inspection log 800 in which amessage of the writing of illegal data 701 is written. The storagecontrol program 413 performs a process equivalent to an iSCSI initiator(named as “iqn.a.com:str1.Ini” in this embodiment) in order tocommunicate with the second storage device 3300 which will be describedlater through the network 3100 by iSCSI.

FIG. 20 shows details of the second storage device. The second storagedevice 3300 includes a storage controller 3301 for controlling thestorage device 3300 as a whole. The storage controller 3301 has: aprocessing portion 3302 having a CPU, etc; a storage portion 3303 havinga storage device such as an RAM; a network communication device 3304; aninput device 3305 for inputting data from an input device such as akeyboard; an output device 3306 for outputting data to an output devicesuch as a display; a storage connection device 3307; and a bus 3308 bywhich the respective portions and devices 3302 to 3307 are connected toone another. The second storage device 3300 further includes a physicaldisk group 3309 connected to the storage controller 3301 by a bus 3310.The physical disk group 3309 forms logical units (LUs) for storing dataactually by partially combining data storage regions of physical disks.The logical units are represented by volumes 3311 to 3314 in FIG. 20.The storage portion 3303 has: a storage control program 3315 formanaging access to the volumes 3311 to 3314; and a data replicationprogram 3316 for copying data from one volume to another volume. Theseprograms are executed by the processing portion 3302. The storageportion 3303 further has a multi-level backup volume list 3317 forstoring log information processed by the data replication program 3316.The second storage device 3300 is physically connected to the network3100 by the network communication device 3304, so that a networkcommunication process concerning the second storage device 3300 iscarried out on the basis of a communication protocol of the network3100. For example, the communication protocol is IP. The second storagedevice 3300 communicates with the first storage device 3200 by iSCSI.The storage control program 315 is equivalent to an iSCSI target (namedas “iqn.a.com:str2” in the embodiment) for carrying out the processconcerning the iSCSI communication, and communicated with the firststorage device 3200 through the network communication device 3304.Incidentally, it is assumed now that LUN=0, 1, 2, 3 are allocated to thevolumes 3311 to 3314.

As described above, in this embodiment, a new-level backup volume for astorage device having a volume for replication is generated in anothervolume of another storage device on a remote site or the like so thatdata can be prevented from being missing because of a disaster or thelike. Therefore, description will be made on the assumption that thevolume for replication is the volume 409 of the first storage device3200 while another storage device on a remote site or the like is thesecond storage device 3300.

First, the first storage device 3200 performs data synchronizationbetween the volume 409 of the first storage device 3200 and the volume3311 of the second storage device 3300. In the first storage device3200, the data synchronization is executed by the data synchronizationprogram 3201 so that the state of data in the volume 409 and the stateof data in the volume 3311 are kept equal to each other. Specifically,the first storage device 3200 uses the iSCSI initiator“iqn.a.com:str1.Ini” to connect the iSCSI initiator to the iSCSI target“iqn.a.com:str2” of the second storage device 3300 and performs datasynchronization for the volume 3311 connectable in the iSCSI target. Thedata synchronization can be achieved by an existing technique.

An example of the procedure in the backup control program will bedescribed below with reference to FIG. 21. In step 2511 shown in FIG.21, the backup control program 508 acquires a mount volume list 112 fromthe host 100 or the like and generates a volume list 510 for replicationas shown in FIG. 6, in the same manner as in the step 511 inEmbodiment 1. On this occasion, the backup control program 508 canrecognize that the volume 409 connected to the host 100 is a volume forreplication to make a new-level backup volume.

In step 2512 shown in FIG. 21, the backup control program 508 waits forreception of an inspection log 800 generated by the security inspectionprogram 111, in the same manner as in the step 512 in Embodiment 1. Ifthere is no new inspection log 800 received at the present time, thebackup control program 508 goes to step 2513. If there is a newinspection log 800 received, the backup control program 508 goes to step2516.

In step 2513 shown in FIG. 21, the backup control program 508 checkswhether the present time is a backup time based on a predeterminedbackup period or not, in the same manner as in the step 513 inEmbodiment 1. The administrator 900 (not shown in FIG. 18) can set thebackup period by using the input device 416. The backup control program508 judges from the present time and the backup period informationwhether the present time is a backup time or not. If the present time isa backup time, the backup control program 508 goes to step 2514.Otherwise, the backup control program 508 goes back to step 2512.

In step 2514 shown in FIG. 21, the backup control program 508 generatescontrol data 3400 in which a necessary processing command to be executedby the first storage device 3200 is written, on the basis of theinformation of the volume list 510 for replication and issues controldata 3400, in the same manner as in the step 514 in Embodiment 1. Onthis occasion, the volume 409 in the first storage device 3200 isdata-synchronized with the volume in the other (second) storage device.Therefore, the backup control program 508 issues the control data 3400to the storage device having the volume. As described above, on thisoccasion, the data synchronization program 3201 performs datasynchronization between the volume 409 and the volume 3311 in the secondstorage device 3300. Accordingly, the data synchronization program 3201can make the first storage device 3200 recognize that the volume forreplication is the volume 3311 in the second storage device 3300. Forexample, the format of the control data 3400 is the same as in FIG. 7.The control data 3400 includes information such as the iSCSI target name“iqn.a.com:str2” and LUN=0 for indicating the volume 3311, and thecontent of processing “make a new-level backup volume”. The control data3400 is issued to the second storage device 3300.

In step 2515 shown in FIG. 21, when the control data 3400 is received bythe storage controller 3301 of the storage device 3300, the datareplication program 3316 of the storage device 3300 copies data from thevolume 3311 to the volume 3312 in the same manner as in the step 515 inEmbodiment 1. The data replication program 3316 generates a multi-levelbackup volume list 3317 which is log information of volume copying asshown in FIG. 22.

After completion of the aforementioned processing, the backup controlprogram 508 goes back to step 2512 to repeat the aforementionedprocedure.

By the aforementioned process, the first storage device 3200 cangenerate new-level backup volumes for the volume 409 in the otherstorage device on a remote site or the like easily and in real timewhile safety is warranted by the result of inspection by the securityinspection program 111.

An example of the procedure concerning the backup control program willbe described below in the case where the result of inspection by thesecurity inspection program is abnormal. In step 2516 shown in FIG. 21,the backup control program 508 performs the same process as in the step516 in Embodiment 1. For example, the backup control program 508 goes tostep 2517 to perform the former process when the value of a restorationjudgment file set by the administrator device 900 through the inputdevice 416 in advance is “0” whereas the backup control program 508 goesto step 2519 to perform the latter process when the value of therestoration judgment file is “1”.

In step 2517 shown in FIG. 21, the backup control program 508temporarily stops the data synchronization which is performed betweenthe volume 409 and the volume 3311 by the data synchronization program3201.

In step 2518 shown in FIG. 21, the backup control program 508 generatescontrol data 3400 in which a necessary processing command to be executedby the first storage device 3200 is written, on the basis of theinformation of the inspection log 800 and issues the control data 3400,in the same manner as in the step 517 in Embodiment 1. As describedabove, the volume 409 in the first storage device 3200 isdata-synchronized with the volume in the other (second) storage device.Therefore, the backup control program 508 generates control data 3400 bythe aforementioned process and issues the control data 3400 to thesecond storage device 3300. For example, the format of the control data3400 is the same as shown in FIG. 10.

In step 2519 shown in FIG. 21, when the control data 3400 is received bythe storage controller 3301 of the second storage device 3300, the datareplication program 3316 of the second storage device 3300 copies datafrom the volume 3314 to the volume 3311 in the same manner as in thestep 518 in Embodiment 1.

In step 2520 shown in FIG. 21, the backup control program 508 restartsthe data synchronization which is performed between the volume 409 andthe volume 3311 by the data synchronization program 3201 and which hasbeen temporarily stopped in the step 2517. On this occasion, the storagecontroller 401 of the first storage device 3200 performs a process ofcopying data from the volume 3311 in the second storage device 3300 tothe volume 409 in the first storage device 3200 in advance. This processcan be achieved in such a manner that data is read from the volume 3311by an iSCSI initiator process executed by the storage control program413. As a result, data in the volume 409 is rewritten to safe datarestored by the step 2519.

After completion of the aforementioned processing, the backup controlprogram 508 goes back to step 2512 to repeat the aforementionedprocedure.

In step 2521 shown in FIG. 21, the backup control program 508 performsthe same process as in the step 519 in Embodiment 1.

By repeating the aforementioned processing, the first storage device3200 can achieve data restoration of the volume 409 as a subject ofrestoration easily and in real time on the basis of data with safetywarranted.

Incidentally, this embodiment can be achieved also in the case where thebackup control program 508 is disposed on the management server 500 oron the host 100 as described in Embodiment 1 or 2. Incidentally, in thiscase, the backup control program 508 needs to be allowed to communicatewith the second storage device 3300 through the network 3100 or thelike. Although the embodiments have been described on the case wherenew-level backup volumes are generated, it is a matter of course thatthe invention can be applied to the case where one new-level backupvolume, that is, a replicated volume is generated.

A further embodiment of the invention is a storage network system inwhich the host has second copy command issuing means for issuing a copycommand to a storage device having an abnormal volume so that data canbe copied from another volume which was copied on the basis of a copycommand issued by the copy command issuing means, to the abnormal volumewhen the content of the inspection log acquired by the inspection logacquiring means is abnormal.

In the network storage system, the host may further have administratoralert means for alerting the administrator of the storage device havingthe abnormal volume when the content of the inspection log acquired bythe inspection log acquiring means is abnormal.

A further embodiment of the invention is a storage network systemcomprising: a storage device including volumes for recording data, andnetwork communication means; a host including means of reading/writingdata from/into the volumes through a network; and a management serverincluding means of connecting the storage device and the host to eachother through a network, wherein the management server includes: copytime management means for managing the time of issuing a copy command tocopy data from the volume to another volume; mount informationacquisition means for acquiring mount information concerning volumes inthe storage device to which the host is connected at present; a securityinspection program for performing security inspection of datacommunicated by the host through the network and generating aninspection log inclusive of a result of the security inspection;inspection log acquisition means for acquiring the inspection loggenerated by the security inspection program whenever occasion demands;storage-specified copy command issuing means for specifying a storagedevice having a volume included in the mount information acquired by themount information acquisition means and having no abnormality detected,and issuing a command to the specified storage device to copy data fromthe volume to another volume; second storage-specified copy commandissuing means for specifying a storage device having a volume includedin the mount information acquired by the mount information acquisitionmeans and having abnormality detected when the content of the inspectionlog concerning the volume includes abnormality at the time at which acommand to copy data from the volume to the other volume is issued, andissuing a command to the specified storage device to copy data from theother volume to the volume, the other volume storing data which wascopied by the copy command issued by the storage-specified copy commandissuing means in the past.

A further embodiment of the invention is a storage network systemcomprising: a storage device including volumes for recording data, andnetwork communication means; and a host including means ofreading/writing data from/into the volumes through a network, whereinthe host includes a security inspection program, copy time managementmeans, mount information acquisition means, inspection log acquisitionmeans, storage-specified copy command issuing means, and secondstorage-specified copy command issuing means.

In the storage network system comprising: a storage device includingvolumes for recording data, and network communication means; and a hostincluding means of reading/writing data from/into the volumes of thestorage device through a network, the storage device may include copytime management means, mount information acquisition means, inspectionlog acquisition means, storage-specified copy command issuing means, andsecond storage-specified copy command issuing means.

A further embodiment of the invention is a storage network systemcomprising: a storage device including volumes for recording data, andnetwork communication means; a host including means of reading/writingdata from/into the volumes of the storage device through a network; anda management server including means of being connected to the storagedevice and the host through a network, wherein the management serverincludes: copy time management means; mount information acquisitionmeans; inspection log acquisition means; host-specified copy commandissuing means for specifying a host using a volume included in the mountinformation acquired by the mount information acquisition means andhaving no abnormality detected and issuing a command to the applicationprogram of the specified host to copy data from the volume to anothervolume when the content of the inspection log concerning the hostincludes no abnormality at the time when a command is issued to theapplication program of the host to copy data from the volume to theother volume; and second host-specified copy command issuing means forspecifying a host using a volume included in the mount informationacquired by the mount information acquisition means and havingabnormality detected and issuing a command to the application program ofthe specified host to copy data from the other volume to the volume whenthe content of the inspection log concerning the host includesabnormality, the other volume storing data which was copied by the copycommand issued by the host-specified copy command issuing mean in thepast.

A further embodiment of the invention is a storage network systemcomprising: a storage device including volumes for recording data, andnetwork connection means; and a host including means of reading/writingdata from/into the volumes of the storage device through a network, andan application program having a function for issuing a command to copydata from a volume of the storage device to another volume, wherein thehost includes: a security inspection program; copy time managementmeans; mount information acquisition means; inspection log acquisitionmeans; host copy command issuing means for issuing a command to theapplication program using a volume included in the mount informationacquired by the mount information acquisition means and having noabnormality detected to copy data from the volume to another volume whenthe content of the inspection log concerning the host includes noabnormality at the time at which the command is issued to theapplication program to copy data from the volume to the other volume;and second host copy command issuing mean for issuing a command to theapplication program using a volume included in the mount informationacquired by the mount information acquisition means and havingabnormality detected to copy data from the other volume to the volumewhen the content of the inspection log concerning the host includesabnormality, the other volume storing data which was copied by the copycommand issued by the host copy command issuing means in the past.

In the storage network system comprising: a storage device includingvolumes for recording data, and network connection means; and a hostincluding means of reading/writing data from/into the volumes of thestorage device through a network, and an application program having afunction for issuing a command to copy data from a volume of the storagedevice to another volume, the storage device may include copy timemanagement means, mount information acquisition means, inspection logacquisition means, host-specified copy command issuing means, and secondhost-specified copy command issuing means.

A further embodiment of the invention is a storage network systemcomprising: a first storage device including volumes for recording data,and network connection mean; a host including means of reading/writingdata from/into the volumes of the first storage device through anetwork; a second storage device including volumes for recording data,and network connection means and connected to the first storage device;and a management server including means of being connected to the firstand second storage devices and the host through a network, wherein thefirst storage device includes means for performing data synchronizationbetween a first volume of the first storage device and a second volumeof the second storage device, wherein the host includes a securityinspection program for performing security inspection of datacommunicated through the network, and an application program having afunction of issuing a command to copy data from the first volume of thefirst storage device to the second volume of the second storage device,wherein the management server includes second copy time management meansfor managing the time at which a command to copy data from the secondvolume of the second storage device to another volume is issued, mountinformation acquisition means, inspection log acquisition means, secondstorage-specified copy command issuing means for specifying the firststorage device having a volume included in the mount informationacquired by the mount information acquisition means and having noabnormality detected and issuing a command to the second storage devicehaving a second volume data-synchronized with the first volume to copydata from the second volume to another volume when the content of theinspection log concerning the volume includes no abnormality at the timeat which a copy command is issued by management of the second copy timemanagement means, synchronization restart means for specifying the firststorage device having the first volume included in the mount informationacquired by the mount information acquisition means and havingabnormality detected in the inspection log, temporarily stopping thedata synchronization executed between the first volume and the secondvolume by the first storage device, issuing a command to the secondstorage device having the second volume data-synchronized with the firstvolume to copy data from the other volume copied by the copy commandissued by the second storage-specified copy command issuing means in thepast to the second volume, and issuing a command to the first storagedevice to restart the data synchronization between the first volume andthe second volume.

In the storage network system, the management server may include: secondcopy time management means for managing the time at which a command tocopy data from the second volume of the second storage device to anothervolume; mount information acquisition means; inspection log acquisitionmeans; second storage-specified copy command issuing means forspecifying the first storage device having a volume included in themount information acquired by the mount information acquisition meansand having no abnormality detected, and issuing a command to the secondstorage device having the second volume data-synchronized with the firstvolume to copy data from the second volume to another volume when thecontent of the inspection log concerning the volume includes noabnormality at the time at which a copy command is issued by managementof the second copy time management means; and synchronization restartmeans for specifying the first storage device having the first volumeincluded in the mount information acquired by the mount informationacquisition means and having abnormality detected in the inspection log,temporarily stopping the data synchronization executed between the firstvolume and the second volume by the first storage device, issuing acommand to the second storage device having the second volumedata-synchronized with the first volume to copy data from the othervolume copied by the copy command issued by the second storage-specifiedcopy command issuing means in the past to the second volume, and issuinga command to the first storage device to restart the datasynchronization between the first volume and the second volume.

A further embodiment of the invention is a storage network systemcomprising: a first storage device including volumes for recording data,and network connection means; a host including means of reading/writingdata from/into the volumes of the first storage device through anetwork; and a second storage device including volumes for recordingdata, and network connection means and connected to the first storagedevice, wherein the first storage device includes: means for performingdata synchronization between a first volume of the first storage deviceand a second volume of the second storage device; an application programhaving a function of issuing a command to copy data from the firstvolume to the second volume of the second storage device; second copytime management means for managing the time at which a command to copydata from the second volume of the second storage device to anothervolume is issued; mount information acquisition means; inspection logacquisition means; third storage-specified copy command issuing meansfor specifying a volume included in the mount information acquired bythe mount information acquisition means and having no abnormalitydetected and issuing a command to the second storage device having thesecond volume data-synchronized with the first volume to copy data fromthe second volume to another volume when the content of the inspectionlog concerning the volume includes no abnormality at the time at which acopy command is issued by management of the second copy time managementmeans; and second synchronization restart command issuing means forspecifying the first volume included in the mount information acquiredby the mount information acquisition means and having abnormalitydetected in the inspection log, temporarily stopping the datasynchronization between the first volume and the second volume, issuinga command to the second storage device having the second volumedata-synchronized with the first volume to copy data from the othervolume copied by the copy command issued by the third storage-specifiedcopy command issuing means in the past to the second volume, and issuinga command to restart the data synchronization between the first volumeand the second volume.

A further embodiment of the invention is a storage network systemcomprising: a first storage device including volumes for recording data,and network connection means; a host including means of reading/writingdata from/into the volumes of the first storage device through anetwork; and a second storage device including volumes for recordingdata, and network connection means and connected to the first storagedevice, wherein the host includes: a security inspection program forperforming security inspection of data communicated through the network;an application program having a function of issuing a command to copydata from a first volume of the first storage device to a second volumeof the second storage device; second copy time management means formanaging the time at which a command to copy data from the second volumeof the second storage device to another volume is issued; mountinformation acquisition means; inspection log acquisition means; secondstorage-specified copy command issuing means for specifying the firststorage device having a volume included in the mount informationacquired by the mount information acquisition means and having noabnormality detected, and issuing a command to the second storage devicehaving the second volume data-synchronized with the first volume to copydata from the second volume to another volume when the content of theinspection log concerning the volume includes no abnormality at the timeat which a copy command is issued by management of the second copy timemanagement means; and synchronization restart command issuing means forspecifying the first storage device having the first volume included inthe mount information acquired by the mount information acquisitionmeans and having no abnormality detected in the inspection log,temporarily stopping the data synchronization executed between the firstvolume and the second volume by the first storage device, issuing acommand to the second storage device having the second volumedata-synchronized with the first volume to copy data from the othervolume copied by the copy command issued by the second storage-specifiedcopy command issuing means in the past to the second volume, and issuinga command to the first storage device to restart the datasynchronization between the first volume and the second volume.

A further embodiment of the invention is a storage network systemcomprising: a storage device including volumes for recording data, andnetwork connection means; a host including means of reading/writing datafrom/into the volumes through a network; and a management serverincluding means of being connected to the storage device and the hostthrough a network, wherein the host includes: a processing portion; astorage portion having a data communication control program, and asecurity inspection program for performing security inspection of datacommunicated through the network and generating an inspection loginclusive of a result of the security inspection; a networkcommunication device, an input device, an output device, and a bus bywhich the respective portions and devices of the host are connected toone another, wherein the storage device includes a storage controller, aphysical disk group, and a bus by which the storage controller and thephysical disk group are connected to each other, the storage controllerhaving: a processing portion; a storage portion having a storage controlprogram, and a data replication program; a network communication device;and a storage connection device, and wherein the management serverincludes: a processing portion; a storage portion having a backupcontrol program; a network communication device; an input device; anoutput device; and a bus by which the respective portions and devices ofthe management server are connected to one another.

Copying of a safe volume without wider-range illegal data not onlyinclusive of viruses and worms but also inclusive of falsification andillegal interpolation of data such as Web contents can be achievedspeedily and easily. In addition, because the administrator's laborrequired for copying a safe volume or restoring a volume to the safevolume can be reduced greatly, highly reliable service can be providedwhile the continuity of the service is not spoiled.

It should be further understood by those skilled in the art thatalthough the foregoing description has been made on embodiments of theinvention, the invention is not limited thereto and various changes andmodifications may be made without departing from the spirit of theinvention and the scope of the appended claims.

1. A system comprising: a storage device including volumes for recordingdata, and a network connection portion; a computer for reading/writingdata from/into the volumes through a network; a network for connectingthe storage device and the computer to each other; and a second computerconnected to the network, wherein the computer inspects the content ofaccess to the storage device, collects an inspection log as a result ofthe inspection and sends the inspection log to the second computer atpredetermined timing, wherein the second computer sends a copy commandto the storage device through the network on the basis of the inspectionlog to copy data from one volume of the storage device to another volumeof the storage device, and wherein the storage device copies data fromthe volume to the other volume on the basis of the command given by thesecond computer.
 2. A system according to claim 1, wherein when theinspection log includes illegal data indicating abnormality of thecontent of access, the second computer stops issuing of the command. 3.A system according to claim 2, wherein the abnormality means the casewhere a computer virus is present in the content of access, and whereinthe second computer stops issuing of the command when the inspection logincludes illegal data indicating the presence of the computer virus. 4.A system according to claim 2, wherein the second computer issues asecond command to rewrite data stored in the volume with data stored ina third volume of the storage device when the inspection log includesillegal data indicating the abnormality, and wherein the storage deviceoverwrite data stored in the volume with data stored in the third volumewhen the second command is received.
 5. A system according to claim 4,wherein data stored in the third volume is data which was stored thevolume in the past.
 6. A system according to claim 5, wherein the secondcomputer alerts a system administrator to the presence of the computervirus when the inspection log includes illegal data indicating theabnormality.
 7. A system according to claim 6, wherein when theinspection log includes no abnormality, the second computer sends thecommand to the storage device periodically.
 8. A system according toclaim 1, wherein the predetermined timing is a point of time when thecomputer detected abnormality in the content of access.
 9. A systemaccording to claim 1, wherein the first computer and the second computerare included in one apparatus.
 10. A system according to claim 1,wherein the second computer and the storage device are included in oneapparatus.
 11. A system according to claim 1, wherein the secondcomputer specifies the volume as a subject of the access processing andinstructs the storage device to copy data from the volume to the othervolume.
 12. A system according to claim 1, wherein the network, thecomputer and the storage device perform data transfer according to aniSCSI protocol.
 13. A computer connected to a storage device through anetwork, comprising: an interface connected to the network; a controlportion; and a storage portion, wherein the control portion receivesinformation of the content of access to the storage device through thenetwork, and sends a command on the basis of the information of accessto copy data from a volume of the storage device to another volume ofthe storage device.
 14. A computer according to claim 13, wherein whenthe information of the content of access includes information indicatingabnormality, the control portion stops transmission of the command. 15.A computer according to claim 14, wherein when the information of thecontent of access includes information indicating abnormality, thecontrol portion sends a command to the storage device to copy data froma third volume to the other volume, the third volume included in thestorage device and storing data which was stored in the volume in the.past.
 16. A system comprising: a storage device including volumes forrecording data, and a network connection portion; a computer forreading/writing data from/into the volumes through a network; a networkfor connecting the storage device and the computer to each other; and asecond computer connected to the network, wherein the computer inspectsthe content of data access to the storage device, collects an inspectionlog as a result of the inspection and sends the inspection log to thesecond computer at predetermined timing, wherein the second computersends a command to the storage device through the network on the basisof the inspection log to copy data from a volume of the storage deviceto another volume of the storage device, wherein the storage devicecopies data from the volume to the other volume on the basis of thecommand given by the second computer, wherein when the inspection logincludes data indicating abnormality in the content of access, thesecond computer stops issuing of the command, wherein when theinspection log includes data indicating the abnormality, the secondcomputer issues a second command to rewrite data stored in the volumewith data stored in a third volume of the storage device, wherein thestorage device overwrites data stored in the volume with data stored inthe third volume when the second command is received, and wherein thedata stored in the third volume is data which was stored in the volumein the past.